At the Crossroads – Privacy and Information Security
20th Annual National Training Conference
Fiduciary and Investment Risk Management Association Inc.™

Julia Kirby, Senior Manager
Deloitte & Touche, LLP
Regulatory Consulting Group
April 11, 2006

Agenda

The purpose of this presentation is to briefly describe regulatory developments related to privacy and information security. Deloitte & Touche LLP is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte & Touche LLP shall not be responsible for any loss sustained by any person who relies on this presentation. For complete regulatory requirements, please refer to the text of the rules themselves.


Overview – At the Crossroads


The Balancing Act – Privacy & Information Security

Financial institutions must balance growing expectations while complying with the current legal environment.

Expectations:
  • Customer privacy
  • Information security
  • Convenience of electronic services
  • Ethical behavior

Compliance:
  • Local/state laws
  • Federal regulations
  • Regulatory agency guidelines
  • Investigations and litigation


A Tool to Help Along the Way

Records management is a risk-focused tool that can help manage expectations and maintain compliance.

Factor | How Records Management Can Help

Expectations
  • Centrally-managed security facilitates changes in procedures and technology
  • Records management provides consistent standards for managing customer and corporate information
  • Conforming to records management policy guidelines promotes ethical corporate behavior throughout the organization

Compliance
  • Retention alone is no longer sufficient: retention, retrieval, destruction, and security are now considered in regulatory examinations
  • The legal environment is constantly changing; a flexible framework is needed to adapt to new retention periods and record types
  • Records management aids document discovery in investigations and lawsuits


Objective

The goal of records management is to control and mitigate an organization’s exposure to risk.

Risk areas (diagram): Compliance, Reputation, Litigation

Risk factors (diagram):
  • Retention requirements
  • Customer privacy
  • Government investigations
  • Regulatory sanctions
  • Media headlines
  • Sufficient vs. excessive recordkeeping


Compliance Risk

Recent compliance failures have placed greater public scrutiny on corporate records management practices.

Company | Failure | Sanctioning Body | Fine
Banc of America Securities | Violations of “the recordkeeping and access requirements of various securities laws” (March 2002) | SEC | $10 million
J.P. Morgan | “Failed to preserve for three years…all electronic mail communications” (February 2005) | NASD, NYSE, SEC | $2.1 million
Brokerage Firms (4) | Violations of “recordkeeping requirements concerning business-related internal e-mail communications” (August 2004) | SEC | $3.1 million
Brokerage Firms (5) | Violations of “record-keeping requirements concerning e-mail communications” (December 2002) | SEC | $8.25 million


Litigation Risk

The risk of incurring litigation or failing to meet legal responsibilities can also have financial impact for an organization.

Company | Event | Monetary Impact ($)
Merrill Lynch | Conflicts of interest “revealed in internal e-mail communications” during an investigation by Eliot Spitzer (May 2002) | $100 million
PAZ Securities, Inc. | Failed to effectively respond to NASD subpoena of various records (October 2005) | Expelled from NASD
Bear, Stearns & Co., Inc. | Failed to respond in a timely and effective manner to a subpoena by the State of Illinois Securities Department (June 2005) | see note
UBS Warburg LLC | In Zubulake v. UBS Warburg LLC, UBS was ordered to search and retrieve relevant e-mails from its archives (July 2004) | see note

Note: the two remaining amounts on the slide are $300,000 and $10,000; the extracted slide text does not preserve which amount belongs to the Bear Stearns row and which to the UBS row.


Reputational Risk

Investigations and/or negative media headlines can result in dramatic changes in the market value of a company.

Company | Event | Timeframe | Change in Market Value
Merrill Lynch | Announcement of investigation by NY AG Eliot Spitzer (April 2002) | 1 month | $11 billion
Insurance Firms (4) | NY AG Eliot Spitzer files civil complaint against Marsh & McLennan, ACE, The Hartford, Munich American Risk Partners (October 2004) | 4 trading days | $26 billion
AIG | Investigation by NY AG Eliot Spitzer and the SEC led to the resignation of AIG's CEO and Chairman Hank Greenberg (January 2006) | 11 months | $59 billion


Driving Forces


Driving Forces in Records Management

The growing importance of records management has led to changes in the marketplace, government, and industry.

Force | Impact
Consumer Needs | Convenience and cost are forcing new information delivery strategies that paper-based systems cannot deliver
Regulation | Government and industry are aligned to implement laws that encourage the elimination or reduction of paper
Legal Discovery | Electronic discovery is becoming more common as electronic records management increases
Records Retention Costs | Unit prices of traditional vs. electronic records retention (at scale) are incomparable
Technology | Increasing reliability and decreasing costs lead to ever-wider application of technology
Market | Traditional records management firms are hungry for new revenues and view electronic services as a logical next step


Vast and Complex Environment

The universe of retention requirements applicable to an organization’s activities has grown to several thousand and is continually evolving.

Universe of Record Retention Requirements for International Financial Institutions*:
  • Banking Regulations
  • Bank Records
  • Court Decisions
  • Federal Laws
  • Federal Regulations
  • Foreign Jurisdictions
  • Internal Revenue Code
  • International Supervisory Body Requirements
  • Securities Laws
  • State Law
  • Evolving Technology

*These are provided as an example. Seek counsel’s advice regarding requirements applicable to your organization.


Implementation Issues


Implementation Issues

Each of the major components of records management presents different implementation issues.

Key components of a records management program:
  • Policy
  • Retention Schedule
  • Governance Structure
  • Processes/Procedures
  • Warehouse
  • E-Mail/Electronic Management


Policy

A comprehensive policy is critical to communicating and implementing a records management program.

Issue | Description
Approval | Approval may be required from all business units, a lengthy process which can significantly delay implementation
Consistency | Records management must be consistent with existing bank policies, e.g. ethics, data security, e-mail
Enforcement | Enforcement of the policy must be incorporated into the self-assessment or audit processes
Training | Logistical obstacles must be overcome in training all employees and new hires


Retention Schedule

The retention schedule must capture all applicable requirements while remaining user-friendly for the business units.

Issue | Description
Scope | Applicable requirements depend on the structure of the organization, e.g. bank holding company, financial company, non-bank subsidiaries
Complexity | Requirements originate from a number of sources, e.g. legal statutes (federal, state, local), regulatory guidance, industry guidelines, foreign jurisdictions
Maintenance | Organizations must be able to easily update the retention schedule to account for new requirements
Ease of Use | Business users must be able to easily look up a record and determine its retention period


Governance

Commitment and communication are vital to successful program governance.

Issue | Description
Resources | Records management responsibilities must be added without overburdening existing roles
Accountability | Every employee impacts records management, from the CEO to the new hire
Management Support | Consistent commitment from the top facilitates compliance throughout the organization
Communication | Communication is key to establishing a culture where records management is emphasized


Processes/Procedures

Secure processes are required to ensure effective storage, retrieval, and destruction of bank records.

Issue | Description
Retrieval | Legal and regulatory inquiries demand that records be retrieved in a timely manner by content, date, or creator
Storage | Storage of off-site items must be documented, and items must be transported consistently
Destruction | Destruction procedures must actually defeat forensic recovery: deleting a file or an index entry leaves the data recoverable, so media must be wiped or physically destroyed
Security | Retrieval, storage, and destruction processes must prevent unauthorized access to the data they handle
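The retention-schedule and processes/procedures issues above (the longest applicable period controls, retrieval by creator or date, destruction that must not run while a legal hold such as the one at issue in Zubulake is in force, and a log of every action) can be tied together in code. The following Python sketch is an added example: it is not material from the presentation and not Deloitte's or any vendor's tooling. The record types, requirement sources, retention periods, names and dates in it are constructed for illustration; the real periods for an institution come from counsel and the institution's own schedule.

```python
# Added example (not from the presentation): a retention schedule with
# legal-hold-aware destruction and an audit trail. Record types, sources,
# periods, names and dates are constructed; real periods come from counsel.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Requirement:
    source: str  # origin of the period (illustrative labels)
    years: int   # retention period, in years from the trigger event


@dataclass
class Record:
    record_id: str
    record_type: str
    creator: str
    trigger_date: date  # event that starts the clock (message sent, account closed)
    legal_holds: Set[str] = field(default_factory=set)


# Constructed schedule: one record type can fall under several sources.
SCHEDULE: Dict[str, List[Requirement]] = {
    "business_email": [Requirement("federal securities rule", 3), Requirement("state law", 5)],
    "customer_account_record": [Requirement("federal regulation", 6), Requirement("internal policy", 7)],
}


def add_years(d: date, years: int) -> date:
    """Calendar arithmetic; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def governing_requirement(record_type: str) -> Requirement:
    """The longest applicable period controls; meeting it satisfies the shorter ones."""
    reqs = SCHEDULE.get(record_type)
    if not reqs:  # an unscheduled type is a gap to fix, not a licence to destroy
        raise KeyError(f"no retention schedule entry for {record_type!r}")
    return max(reqs, key=lambda r: r.years)


def disposition_date(record: Record) -> date:
    """Earliest date the record may be destroyed, absent a legal hold."""
    return add_years(record.trigger_date, governing_requirement(record.record_type).years)


class RecordsManager:
    """Inventory plus the retrieval, hold and destruction processes; every action is logged."""

    def __init__(self, records: List[Record]):
        self.records: Dict[str, Record] = {r.record_id: r for r in records}
        self.audit: List[tuple] = []  # (when, record_id, action, actor, detail)

    def _log(self, when: date, rid: str, action: str, actor: str, detail: str = "") -> None:
        self.audit.append((when, rid, action, actor, detail))

    def apply_hold(self, rid: str, hold: str, actor: str, today: date) -> None:
        self.records[rid].legal_holds.add(hold)
        self._log(today, rid, "hold", actor, hold)

    def release_hold(self, rid: str, hold: str, actor: str, today: date) -> None:
        self.records[rid].legal_holds.discard(hold)
        self._log(today, rid, "release", actor, hold)

    def retrieve(self, actor: str, today: date, creator: Optional[str] = None,
                 start: Optional[date] = None, end: Optional[date] = None) -> List[Record]:
        """Search by creator and trigger-date window; each hit is logged as retrieved."""
        hits = [r for r in self.records.values()
                if (creator is None or r.creator == creator)
                and (start is None or r.trigger_date >= start)
                and (end is None or r.trigger_date <= end)]
        for r in hits:
            self._log(today, r.record_id, "retrieve", actor, "search")
        return hits

    def destroy(self, rid: str, actor: str, today: date) -> bool:
        """Destroy only when the period has run AND no hold is active; refusals are logged too.
        Dropping the inventory entry stands in for destruction; the media wipe is a separate step."""
        r = self.records[rid]
        if r.legal_holds:
            self._log(today, rid, "destroy-blocked", actor, "hold: " + ", ".join(sorted(r.legal_holds)))
            return False
        due = disposition_date(r)
        if today < due:
            self._log(today, rid, "destroy-blocked", actor, f"retention runs until {due}")
            return False
        del self.records[rid]
        self._log(today, rid, "destroy", actor, f"period set by {governing_requirement(r.record_type).source}")
        return True


def demo():
    """Constructed walk-through: a hold blocks destruction, release permits it, an early request fails."""
    mgr = RecordsManager([Record("msg-1", "business_email", "trader-a", date(2000, 3, 15)),
                          Record("acct-7", "customer_account_record", "ops", date(2001, 6, 30))])
    mgr.apply_hold("msg-1", "matter-2004-01", "legal", date(2004, 1, 10))
    blocked_by_hold = mgr.destroy("msg-1", "retention-job", date(2006, 4, 11))
    found = mgr.retrieve("examiner", date(2006, 4, 12), creator="trader-a")
    mgr.release_hold("msg-1", "matter-2004-01", "legal", date(2006, 5, 1))
    destroyed = mgr.destroy("msg-1", "retention-job", date(2006, 5, 2))
    too_early = mgr.destroy("acct-7", "retention-job", date(2006, 5, 2))
    return mgr, blocked_by_hold, found, destroyed, too_early
```

Two design points matter to an examiner: a refusal to destroy is logged with its reason, so the audit trail shows the hold working rather than silently skipping the record; and an unscheduled record type raises an error instead of defaulting to either destruction or indefinite retention. Removing the inventory entry only models the disposition decision; the wipe or physical destruction that defeats forensic recovery is a separate control.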


Warehouse

Third-party warehousing has far-reaching consequences beyond records management.

Issue | Description
Logging | A consistent logging procedure is necessary to evidence the storage, retrieval and destruction of every item
Vendor Reputation | The reputation of the vendor will directly correlate with the reputational risk to the bank
Business Continuity | Warehouses must be integrated with business continuity plans to recover from disaster
Contract | The bank's third-party vendor requirements must be applied to the warehouse contract


E-Mail and Electronic Records

Effective e-mail management mandates changes in systems as well as corporate behavior.

Issue | Description
System Functionality | Management of electronic records is dependent on system search, backup, and restoration capabilities
Volume | System storage capacity is finite and average industry volume is excessive
Desktop Archiving | E-mail archived on personal workstations is still accessible, and discoverable, as part of a legal or regulatory inquiry
Misconceptions | A common misconception is that all e-mails are business records, regardless of their content


Critical Success Factors


Initial Approach

Evaluating the current state and envisioning the ideal state are the first steps to be taken.

1. Review Policies and Procedures
   Assess existing:
     • Documentation types
     • Retention processes
     • Security procedures
     • Staffing commitment
     • Storage opportunities and capabilities

2. Identify Existing Records
   Conduct an inventory of existing records to determine:
     • Record types
     • Storage media
     • Security classification
     • Record location
     • Volume

3. Organize a Team
   Forming a team requires:
     • Cross-functional leadership
     • Commitment from senior management
     • Defined roles and responsibilities

4. Develop a Vision
   A records management program must consider:
     • Corporate culture
     • Infrastructure
     • Timing


Critical Success Factors

Practicality
  • Focus on practical and implementable policy

Infrastructure
  • Effective warehouse management
  • System solutions
  • Understanding of support infrastructure

Commitment
  • True organizational commitment and effort
  • Training and communication

Long-Term Vision
  • Anticipate long-term needs and trends

Expertise
  • Access to legal and regulatory expertise


Questions and Answers


Contact information:

Julia Kirby

Deloitte & Touche LLP

555 12th Street N.W., Suite 500

Washington, D.C. 20004-1207

202-879-5685

[email protected]

